CVE-2019-25739

MEDIUM

GigToDo Freelance Marketplace Script 1.3 Persistent XSS

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25739. PoCs published by m0ze.

AI-analyzed exploit summary: The exploit demonstrates a persistent XSS vulnerability in GigToDo Freelance Marketplace Script v1.3. Injecting a malicious JavaScript payload into the 'Proposal's Description' field requires user interaction; the stored payload then executes when other users view the proposal.

Description

GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the create_proposal endpoint that execute when administrators or other users view the stored proposal, enabling cookie theft and malicious redirects.

Exploits (1)

exploitdb · Working PoC
by m0ze · text · webapps · php
https://www.exploit-db.com/exploits/47185

Classification
Working PoC: 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: GigToDo - Freelance Marketplace Script v1.3
Authentication required: yes
Prerequisites: registered user account · access to proposal creation page
devstral-2 · analyzed Jun 04, 2026

References (4)

Core References
Exploit
ExploitDB-47185
https://www.exploit-db.com/exploits/47185
Product
Official Product Homepage
https://www.gigtodoscript.com
Third Party Advisory
VulnCheck Advisory: GigToDo Freelance Marketplace Script 1.3 Persistent XSS
https://www.vulncheck.com/advisories/gigtodo-freelance-marketplace-script-persistent-xss

Scores

CVSS v3 5.4
EPSS 0.0017
EPSS Percentile 6.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Gigtodoscript/GigToDo < 1.3
Published Jun 04, 2026
Tracked Since Jun 04, 2026